Privileged apps such as web browsers can make a Credential Manager call on
behalf of other relying parties by setting the origin parameter in Credential
Manager's GetCredentialRequest() and
CreatePublicKeyCredentialRequest() methods.
The origin represents the application or website that a
request comes from, and is used by passkeys to protect against phishing attacks.
An app's servers are required to check the client data origin against an
allowlist of approved apps and websites. If the server receives a request from
an app or website from an unrecognized origin, the request should be rejected.
This document describes how to set the origin for such privileged calling apps,
and how to verify such apps are allowed to make calls on behalf of other
parties.
Set the origin of the calling app
To get credentials on behalf of another relying party, the credential provider
that supplies the credentials must add your app to a list of privileged callers
that are allowed to get such access. Then, use setOrigin() on
createCredential() and getCredential() requests to set the
origin value.
For privileged apps such as web browsers that need to handle third party credentials, Google Password Manager requires approval to handle those credentials. This ensures that only trusted apps are able to access and manage user credentials for external services. To be approved for handling third party credentials, complete the request form to open a ticket and have your request reviewed.